Network management systems monitor and manage access to internal resources of a network. The management systems are commonly used throughout local networks and wide-area networks such as the Internet. In general, management systems authenticate a user, and grant privileges or authorizations for access to the network's resources. Examples of network management systems include Resource Management Essentials and CiscoWorks 2000, from Cisco Systems, Inc., San Jose, Calif.
With some network management systems, users are assigned the privileges of a class after they are authenticated. The class identification allows that user to receive privileges for accessing that network's resources, and the policy that governs the user is tailored to the class. For example, users may identify themselves as “administrator,” and the network may have a policy that manages access to specific network resources for the “administrator.”
The user's class status may be employed throughout the administrative domain in which the user was authenticated. Typically, if such users attempt to carry out an operation outside their currently authenticated administrative domain, the class status is no longer valid, and the user may have to be authenticated in the new administrative domain to receive a new class status. The effect of this, from the user's perspective, is that the user is repeatedly prompted to enter a username and password when moving from domain to domain. This interrupts the user's workflow and is time-consuming and awkward. Therefore, there is a need for a way to authenticate a user once and have the authentication remain usable and valid as the user moves among administrative domains.
Many current systems are in place to broaden authentication services for network management. One system, Kerberos, developed as part of “Project Athena” at the Massachusetts Institute of Technology, provides an encrypted ticket to clients. The clients can use the tickets to access network resources. The tickets contain identifications of the users; the user's identification remains encrypted until the ticket is sent to a service, and the service uses an encryption key to decrypt the ticket and identify the user. The ticket also carries information about the user's authentication. In this way, the encrypted ticket serves as proof of authentication when attempting to access a supporting service. However, Kerberos is complex to implement and requires an extensive supporting infrastructure to work.
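As an added illustration of the ticket model just described (not code from the patent, and not Kerberos itself), the following Python sketch issues a ticket that keeps the user's identity and authentication times encrypted under the service's key, and shows the service decrypting it, rejecting forgeries, and rejecting expired tickets. The HMAC-SHA256 counter-mode keystream is an assumed stdlib-only stand-in for the ciphers a real Kerberos deployment uses; the principal and realm names are constructed sample values.

```python
import hashlib
import hmac
import json
import os
import time

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy stream cipher: HMAC-SHA256 in counter mode (assumption: stand-in for
    # a real cipher, used only so the example runs without third-party libraries).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def issue_ticket(service_key: bytes, principal: str, realm: str, lifetime_s: int, now=None) -> bytes:
    """Ticket-granting side: encrypt identity and auth times under the service's key."""
    now = time.time() if now is None else now
    claims = {"principal": principal, "realm": realm, "auth_time": now, "expires": now + lifetime_s}
    body = json.dumps(claims).encode()
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(body, _keystream(service_key, nonce, len(body))))
    tag = hmac.new(service_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag


def verify_ticket(service_key: bytes, ticket: bytes, now=None):
    """Service side: only a holder of the service key can read the identity; returns
    the claims, or None if the ticket is forged, corrupted, or expired."""
    now = time.time() if now is None else now
    if len(ticket) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = ticket[:NONCE_LEN], ticket[NONCE_LEN:-TAG_LEN], ticket[-TAG_LEN:]
    expected = hmac.new(service_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong key or tampered ciphertext: identity never disclosed
    body = bytes(a ^ b for a, b in zip(ct, _keystream(service_key, nonce, len(ct))))
    claims = json.loads(body)
    if now > claims["expires"]:
        return None  # authentication information in the ticket has lapsed
    return claims
```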
Based on the foregoing, there is a clear need in the field for a way of simplifying identification and authorization processes so that network resources can more easily be managed for externally authenticated users.
There is a specific need for a way to identify authenticated users by roles or classes to external systems that manage network resources, without using particular identifiers of the users.